QGIS QWC2, Cross-Site Scripting, CVE-2025-XXXXX (Moderate)

How the mentioned CVE works:

This Cross-Site Scripting (XSS) vulnerability exists within the attribute table component of the QGIS QWC2 web client. An attacker with authorized access to the system can inject malicious JavaScript code into the application. This is typically achieved by submitting crafted payloads into data fields that are subsequently rendered in the attribute table. When other authorized users view the compromised table entry, the embedded script executes within their browser session. This allows the attacker to steal session cookies, perform actions on behalf of the user, or deface the application, all without directly compromising the backend server.

Platform: QGIS QWC2
Version: < 2025.08.14

Vulnerability : Cross-Site Scripting

Severity: Moderate

Date: 2025-10-13

Prediction: 2025-10-27

What Undercode Says:

Searching for potential XSS patterns in QWC2 components (direct DOM writes in the client bundle, and which demo configs enable the attribute table):
grep -r "innerHTML" /path/to/qwc2/static/
find /path/to/qwc-demo-config -name "*.json" -exec grep -l "attributeTable" {} \;
// Example of an unsafe rendering in a legacy component: untrusted feature data
// is written as markup, so any HTML or script it contains is interpreted.
document.getElementById('featureInfo').innerHTML = untrustedUserData;

How the exploit works:

Attacker logs in, inputs `` into an attribute field. The payload is stored. When a victim user views the attribute table, the script executes, potentially sending their session cookie to an attacker-controlled server.

Protection from this CVE:

Upgrade to QWC2 version 2025.08.14 or later. Sanitize all user-supplied data before rendering it in the DOM. Implement a Content Security Policy (CSP). Use secure alternatives to innerHTML, such as textContent.
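As an added illustration of the "sanitize before rendering" advice (not QWC2's own code), the following contrasts the unsafe concatenation pattern with an escaping renderer for attribute-table rows. The field names, the sample feature and the helper names are constructed for this example.

```javascript
// Added example, not QWC2 project code. Two ways to turn a feature's
// attributes into a table row: renderRowUnsafe() mirrors the innerHTML
// pattern the advisory warns about, renderRowSafe() HTML-escapes every
// value first (equivalent to assigning it through textContent).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: stored field values are concatenated straight into
// markup, so a value containing a tag becomes live HTML in every viewer's browser.
function renderRowUnsafe(feature, fields) {
  return '<tr>' + fields.map((f) => `<td>${feature[f]}</td>`).join('') + '</tr>';
}

// Hardened pattern: the same value is escaped and therefore displayed literally.
function renderRowSafe(feature, fields) {
  return '<tr>' + fields.map((f) => `<td>${escapeHtml(feature[f])}</td>`).join('') + '</tr>';
}

// Regression check usable in CI: does the markup contain any tag other than
// the <tr>/<td> tags the renderer itself emits?
function containsForeignTag(html) {
  return /<(?!\/?t[rd]\b)[a-z!/]/i.test(html);
}

// Constructed sample feature: the "notes" attribute carries a classic probe
// payload of the kind that would be stored through an editable field.
const FIELDS = ['name', 'notes'];
const SAMPLE_FEATURE = {
  name: 'Parcel 42',
  notes: '<img src=x onerror="alert(1)">',
};

console.log('unsafe:', renderRowUnsafe(SAMPLE_FEATURE, FIELDS));
console.log('safe:  ', renderRowSafe(SAMPLE_FEATURE, FIELDS));
```

In a React-based client like QWC2 the equivalent rule is to render values as JSX text and never pass feature data to dangerouslySetInnerHTML.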

Impact:

Session hijacking, unauthorized actions, data theft.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
